random: update initskript for machines with low entropy

the script wait until crng is correct initialized before restore the
random seed and make some disc io to work around low entropy at boot
on some machines. Not really a fix but it should be better than reverting
CVE-2018-1108 fixes from kernel.

Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>

config/rootfiles/common/aarch64/initscripts

@@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron

config/rootfiles/common/armv5tel/initscripts

@@ -117,6 +117,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S11unbound
@@ -130,7 +131,6 @@ etc/rc.d/rc3.d/S19wlanclient
 etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron

config/rootfiles/common/i586/initscripts

@@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron

config/rootfiles/common/x86_64/initscripts

@@ -116,6 +116,7 @@ etc/rc.d/rc0.d/S80mountfs
 etc/rc.d/rc0.d/S90swap
 etc/rc.d/rc0.d/S99halt
 #etc/rc.d/rc3.d
+etc/rc.d/rc3.d/S00random
 etc/rc.d/rc3.d/S01vnstat
 etc/rc.d/rc3.d/S10sysklogd
 etc/rc.d/rc3.d/S12acpid
@@ -129,7 +130,6 @@ etc/rc.d/rc3.d/S20network
 etc/rc.d/rc3.d/S11unbound
 etc/rc.d/rc3.d/S21leds
 etc/rc.d/rc3.d/S24cyrus-sasl
-etc/rc.d/rc3.d/S25random
 etc/rc.d/rc3.d/S30sshd
 etc/rc.d/rc3.d/S32apache
 etc/rc.d/rc3.d/S40fcron

config/rootfiles/core/122/filelists/files

@@ -5,6 +5,7 @@ etc/rc.d/init.d/collectd
 etc/rc.d/init.d/firstsetup
 etc/rc.d/init.d/leds
 etc/rc.d/init.d/partresize
+etc/rc.d/init.d/random
 etc/rc.d/rc0.d/K87acpid
 etc/rc.d/rc3.d/S12acpid
 etc/rc.d/rc6.d/K87acpid

config/rootfiles/core/122/update.sh

@@ -117,6 +117,8 @@ if [ -e /boot/pakfire-kernel-update ]; then
 	/boot/pakfire-kernel-update ${KVER}
 fi
 
+mv /etc/rc.d/rc3.d/S??random /etc/rc.d/rc3.d/S00random
+
 case "$(uname -m)" in
 	i?86)
 		# Force (re)install pae kernel if pae is supported

lfs/initscripts

@@ -1,7 +1,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2007-2016  IPFire Team  <info@ipfire.org>                     #
+# Copyright (C) 2007-2018  IPFire Team  <info@ipfire.org>                     #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -16,7 +16,6 @@
 # You should have received a copy of the GNU General Public License           #
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
 #                                                                             #
-###############################################################################
 
 ###############################################################################
 # Definitions
@@ -131,7 +130,7 @@ $(TARGET) :
 	ln -sf ../init.d/unbound     /etc/rc.d/rc3.d/S11unbound
 	ln -sf ../init.d/unbound     /etc/rc.d/rc6.d/K79unbound
 	ln -sf ../init.d/random      /etc/rc.d/rc0.d/K45random
-	ln -sf ../init.d/random      /etc/rc.d/rc3.d/S25random
+	ln -sf ../init.d/random      /etc/rc.d/rc3.d/S00random
 	ln -sf ../init.d/random      /etc/rc.d/rc6.d/K45random
 	ln -sf ../../sysconfig/rc.local /etc/rc.d/rc3.d/S98rc.local
 	ln -sf ../init.d/client175   /etc/rc.d/rc0.d/K34client175

src/initscripts/system/random

@@ -1,28 +1,45 @@
 #!/bin/sh
-# Begin $rc_base/init.d/random
-
-# Based on sysklogd script from LFS-3.1 and earlier.
-# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
-# Random script elements by Larry Lawrence
-
 . /etc/sysconfig/rc
 . $rc_functions
 
+if [ -e /proc/sys/kernel/random/poolsize ]; then
+	poolsize=$(</proc/sys/kernel/random/poolsize);
+	poolsize=$(expr $poolsize / 8 );
+else
+	poolsize=512;
+fi
+
 case "$1" in
 	start)
-		boot_mesg "Initializing kernel random number generator..."
+
+		#CRNG init need 128bit so wait until there is more)
+		avail=$(</proc/sys/kernel/random/entropy_avail)
+		while [ $avail -lt 130 ]; do
+			avail=$(</proc/sys/kernel/random/entropy_avail)
+			boot_mesg -n "\rWait for entropy: $avail/130   "
+			# Generate some disc access to gather entropy
+			echo  avail > /var/tmp/random-tmpfile
+			sync
+			rm -f /var/tmp/random-tmpfile
+		done;
+
+		boot_mesg "\rInitializing kernel random number generator..."
 		if [ -f /var/tmp/random-seed ]; then
 			/bin/cat /var/tmp/random-seed >/dev/urandom
 		fi
+		touch /var/tmp/random-seed
+		chmod 600 /var/tmp/random-seed
 		/bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-			count=4 &>/dev/null
+			count=1 bs=$poolsize &>/dev/null
 		evaluate_retval
 		;;
 
 	stop)
 		boot_mesg "Saving random seed..."
+		touch /var/tmp/random-seed
+		chmod 600 /var/tmp/random-seed
 		/bin/dd if=/dev/urandom of=/var/tmp/random-seed \
-			count=4 &>/dev/null
+			count=1 bs=$poolsize &>/dev/null
 		evaluate_retval
 		;;